List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] [OT] Generating EFS Recovery Certificate
bbernie1@xxxx.yyy

01/05/2006 3:38 AM  
Sorry for the off-topic question. Here is the background...
Remember when you first bring up a DC and it generates a self-signed EFS Recovery Certificate? Well, what do you do when you don't know about that and 5 years down the road you want to implement a recovery solution and that original DC is long gone?

Well, one way would be to use Cipher.exe to generate another EFS Recovery cert, create a domain recovery agent using that cert, and re-touch all your encrypted files across each PC.

Great, no biggie. But let's say you want to put this cert on a secure USB key fob, so it can't be copied off or tampered with, but your unnamed vendor doesn't support certs that are issued out for 100 years.

So basically I need another way to generate an EFS Recovery Certificate that doesn't go out for 100 years; I'd like to control the issuing date. Does anyone know another way to go about this? It is unknown to me if I can use the Crypto API to generate a self-signed cert with whatever the EFS Recovery OID is. Thanks again for any input!

-Brandon
tech4steve

01/05/2006 6:05 AM  
You can use an MS Ent CA to do this (just copy and edit the V2 template), or you should be able to specify the OID "1.3.6.1.4.1.311.10.3.4.1" in your call to CryptEncodeObject to create one. Optionally, you can try makecert.exe (but I have never tried this).

spat
bbernie1@xxxx.yyy

01/05/2006 7:48 AM  
If only we had an enterprise CA implemented... You were right about makecert.exe. If you wanted to do it and have the cert look just like the cipher.exe one, it would look like this. The only downside to makecert is that it doesn't make a .pfx file, so you need to manually create that. Thanks for the help!

makecert -r -pe -n "OU=EFS File Encryption Certificate,L=EFS,CN=Administrator" -a sha1 -e 12/31/2008 -eku 1.3.6.1.4.1.311.10.3.4.1 -ss my testefs.cer

-Brandon
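Added example (editor's note, not part of the thread or of any poster's own tooling): the same certificate built with PowerShell's New-SelfSignedCertificate, which ships with Windows 8.1 / Server 2012 R2 and later and so was not an option in 2006. It gives you the expiry date the original question asks for, puts the File Recovery EKU (1.3.6.1.4.1.311.10.3.4.1) in the certificate, checks the result before you rely on it, and exports both the .cer for the domain EFS policy and the .pfx that makecert could not produce. The 3-year lifetime, the output paths, the legacy RSA CSP, and the cipher.exe-style subject layout are assumptions.

```powershell
# Added example: EFS Data Recovery Agent certificate with a chosen validity window.
# Assumptions: 3-year lifetime, output paths under %USERPROFILE%, legacy RSA CSP.

$subject         = "CN=Administrator,L=EFS,OU=EFS File Encryption Certificate"  # mirrors cipher.exe's layout (assumption)
$notBefore       = Get-Date
$notAfter        = $notBefore.AddYears(3)                                        # assumption: 3-year lifetime
$fileRecoveryEku = "1.3.6.1.4.1.311.10.3.4.1"                                    # File Recovery EKU named in the thread

$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -NotBefore $notBefore `
    -NotAfter $notAfter `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeySpec KeyExchange `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.37={text}$fileRecoveryEku") `
    -CertStoreLocation Cert:\CurrentUser\My

# Verify before handing the key to anyone: the EKU extension must carry the
# File Recovery OID and the expiry must be the one we asked for, not 100 years.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekus -notcontains $fileRecoveryEku) { throw "EKU does not contain the File Recovery OID" }
if ($cert.NotAfter -gt $notAfter.AddMinutes(1)) { throw "Validity window was not applied" }
if (-not $cert.HasPrivateKey) { throw "No private key bound to the certificate" }

# The .cer (public part) is what you add as the Data Recovery Agent in the domain
# EFS policy; the .pfx (with the private key) is what goes on the token or offline
# media. Paths and the prompted password are assumptions.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-Certificate    -Cert $cert -FilePath "$env:USERPROFILE\dra.cer" -Type CERT | Out-Null
Export-PfxCertificate -Cert $cert -FilePath "$env:USERPROFILE\dra.pfx" -Password $pfxPassword | Out-Null

"Thumbprint: $($cert.Thumbprint)  NotAfter: $($cert.NotAfter)"
```

Once dra.cer is published as a recovery agent in the EFS policy, existing files still only carry the old recovery field; running cipher /u on each machine as the file owner rewrites them with the new agent, which is the "re-touch" step the original post describes. After the .pfx is on the token, delete the exportable private key from the Cert:\CurrentUser\My store so the only copy is the one you intended.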
Copyright 2009 ActiveDir.org